|Aegis: Security Policy in Depth|
|Understanding Police Reliance on Private Data|
|Fri, 08 Oct 2021 09:03:30 -0400|
Although law enforcement investigations have always depended on information from private actors, modern technology and big data have transformed an analog collection process into an automated, digital one. This shift has elevated the role that private entities play in the investigative process, mirroring the growth of private influence across the entire criminal system. Many of these private influences have been fiercely criticized. Although there is merit to these concerns, blanket opposition to any role for private actors in the criminal system is not a sound policymaking approach. The challenge, then, is for policymakers to distinguish beneficial private influences from harmful ones. In this paper, I suggest that in order to realize the benefits and guard against the harms of private influence, regulators should focus on private entities that have close relationships with law enforcement. These entities are least likely to push back against law enforcement and instead are more likely to become a private extension of law enforcement. Requiring these entities to register and to provide insight into their collection practices is an important step toward a more effective regulatory structure.
|Private Data/Public Regulation|
|Mon, 04 Oct 2021 09:20:49 -0400|
Policing increasingly relies on the collection of digital data, often of people for whom there is no basis for suspicion. Police seek fewer search warrants and more requests to harvest metadata, they buy data from brokers, they track location and other aspects of our lives. Sometimes police collect the data themselves. More often they gather it from third parties. They do so by purchase, and by court order. The benefits of this approach are uncertain, but placing this much personal data in the hands of the government has its costs. It endangers our personal security, and our sense of privacy. It threatens racial equity, and our right to associate, including for political activity. It puts enormous power in the government to control behavior. This article makes the novel argument that, as a matter of constitutional law, policing agencies cannot collect digital data, particularly about individuals for whom there is no suspicion of wrongdoing, without a sufficient regulatory scheme in place. This includes a justification for collection that can be shown to further public safety, and sufficient safeguards to protect individual interests. If these practices are to continue, legislative authorization and regulation is requisite.
|Modern Day General Warrants and the Challenge of Protecting Third-Party Privacy Rights in Mass, Suspicionless Searches of Consumer Databases|
|Tue, 28 Sep 2021 08:51:43 -0400|
Today, more than ever, law enforcement has access to massive amounts of consumer data that allow police to, essentially, pluck a suspect out of thin air. Internet service providers and third parties collect and aggregate precise location data generated by our devices and their apps, making it possible for law enforcement to easily determine everyone who was in a given area during a given time period. Similarly, search engines compile and store our internet searches in a way that allows law enforcement to learn everyone who searched for specific keywords like an address or the word “bomb.” And DNA is now amassed in consumer genetic genealogy databases that make it possible for law enforcement to identify almost any unknown person from their DNA, even if the unknown person never chose to add their own DNA to the database. Modern law enforcement officials very frequently conduct “suspicionless searches”—searches that are not based on individualized suspicion—on these computer databases. This article describes the problem of suspicionless searches of consumer databases, explains the threat these searches pose to privacy interests, argues that the legal arguments put forth by law enforcement in defense of these practices are flawed and suggests what should be done about the problem, both in courts and in the legislature.
|Adapting to the Cyber Domain: Comparing U.S. and U.K. Institutional, Legal and Policy Innovations|
|Tue, 25 May 2021 10:26:46 -0400|
Prime Minister Boris Johnson made it official in a statement to Parliament on Nov. 19, 2020. “I can announce that we have established a National Cyber Force, combining our intelligence agencies and service personnel,” he proclaimed, adding that it “is already operating in cyberspace against terrorism, organised crime and hostile state activity.”
Public avowal of the National Cyber Force (NCF) came as no great surprise. Plans to take this institutional step had been discussed publicly before, after all. Nonetheless, it was a significant moment in the ongoing process of tailoring U.K. institutions, policies and legal frameworks to suit the evolving nature and scale of cyber domain threats and opportunities. The NCF embodies certain distinctive characteristics of the British system, including flexibility regarding institutional roles in general and the role of intelligence agencies in particular. Much the same can be said, moreover, for another recent British organizational innovation: creation of the National Cybersecurity Centre (NCSC).
The American experience throughout this same period has been analogous in many respects—including the creation of new organizations with defensive and offensive missions—yet it is by no means identical. As we shall see, institutional formalism is far more conspicuous in the American system, and so too are anxieties about the roles of intelligence agencies. Whether these are bugs or features is, perhaps, in the eye of the beholder. The comparison between the U.K. and U.S. models, at any rate, is instructive.
|'Defend Forward' and Sovereignty|
|Fri, 30 Apr 2021 11:26:52 -0400|
Among the most discussed provisions of the Tallinn Manual 2.0 is Rule 4: “Violation of sovereignty.” Rule 4 provides: “A State must not conduct cyber operations that violate the sovereignty of another State.” Considered alone, Rule 4 is banal and unobjectionable, since there are many established sovereignty-based international-law rules that cyber operations might violate. For example, the UN Charter’s prohibition on certain uses of force and the customary international-law rule of nonintervention constrain cyber operations by one state in another. The hard question is whether international law related to sovereignty prohibits anything more. Here the commentary to Rule 4 is quite ambitious. It argues that a stand-alone customary international-law concept of state sovereignty operates to regulate and render illegal certain cyber operations that would not otherwise be illegal under any of the specific and acknowledged sovereignty-based rules of international law. This paper argues that the discrete rules articulated in the Rule 4 commentary do not reflect customary international law. The Rule 4 commentary cites very little legal authority in support of its bold conclusions and lacks any practical connection to the complex interplay of extensive state practice and opinio juris that constitutes customary international law.
|Cyberattack Attribution as Empowerment and Constraint|
|Fri, 15 Jan 2021 10:15:34 -0500|
When a state seeks to defend itself against a cyberattack, must it first identify the perpetrator responsible? The US policy of “defend forward” and “persistent engagement” in cyberspace raises the stakes of this attribution question as a matter of both international and domestic law.
International law addresses in part the question of when attribution is required. The international law on state responsibility permits a state that has suffered an internationally wrongful act to take countermeasures, but only against the state responsible. This limitation implies that attribution is a necessary prerequisite to countermeasures. But international law is silent about whether attribution is required for lesser responses, which may be more common. Moreover, even if states agree that attribution is required in order to take countermeasures, ongoing disagreements about whether certain actions, especially violations of sovereignty, count as internationally wrongful acts are likely to spark disputes about when states must attribute cyberattacks in order to respond lawfully.
Under domestic US law, attributing a cyberattack to a particular state bolsters the authority of the executive branch to take action. Congress has authorized the executive to respond to attacks from particular countries and nonstate actors in both recent cyber-specific statutory provisions and the long-standing Authorizations for Use of Military Force (AUMFs) related to 9/11 and the Iraq War. Attribution to one of these congressionally designated sources of attack ensures that the executive branch need not rely solely on the president’s independent constitutional authority as commander in chief when responding, but instead can act with the combined authority of Congress and the president.
Common across international and US law is the fact that cyberattack attribution serves as both a potential source of empowerment and a potential constraint on governmental action. In both systems, attribution of a cyberattack to another state bolsters the US executive branch’s authority to respond, and conversely, the absence of attribution can place the executive on less certain legal footing.
This essay proceeds in three parts. It first explains cyberattack attribution and attribution’s interaction with existing international law on the use of force and state responsibility. The next section turns to the US “defend forward” policy and explores how it may spur disagreements about when states must attribute cyberattacks, even if they agree on the general legal framework set out in the first part. The essay then briefly addresses US domestic law and explains how congressional authorizations for certain military actions depend on attribution. The conclusion discusses how attribution can shape, not just be shaped by, the international and domestic legal systems.
|U.S. Cyber Command's First Decade|
|Tue, 08 Dec 2020 10:53:01 -0500|
United States Cyber Command (USCYBERCOM) turned ten years old in 2020. It is a unique institution—a military command that operates globally in real time against determined and capable adversaries and yet never fires a shot or launches a missile. The Command comprises an amalgam of military, intelligence, and information technology capabilities that came together into its present shape more by design than by fortuitous chance. That design, however, was itself a work in progress.
The Command’s first decade built upon the notion that states must operate in cyberspace at scale and in real time. “Operating” means that key national systems and data have to be “fought” like a weapons platform; in other words, they enable and execute critical sovereign functions and thus cannot be switched off or managed as discrete and individual devices. Indeed, each system and device affects the whole, and that whole is now immense. Only operational processes can harness the military’s and the government’s limited talent and resources in ways that can accomplish such global tasks on behalf of the nation, and only military components have the training, expertise, equipment, and resources to fulfill key elements of that requirement full-time and without interruption.
That vision dawned on military and civilian leaders years before the establishment of USCYBERCOM. The Command then refined the vision through actual operations. USCYBERCOM was by no means a passive medium upon which other government and industry actors imposed their visions. On the contrary, the Command’s leaders, experts, and experiences influenced the course of discussions and resulting decisions. The evolution began two decades back, as key decisions were made that framed the institutional context for USCYBERCOM. This essay tells this story, from the recognition in the 1990s that so-called “strategic information warfare” was of growing importance, to the 2009 decision to establish a unified command, to the critical roles USCYBERCOM has played of late in combatting ISIS propaganda and defending national elections. USCYBERCOM’s history is interesting not only for what it says about military innovation and bureaucratic change in the US government, but also for the insight it offers on the development of other military cyber components among America’s allies, partners, and adversaries.
|Cyberattacks and the Constitution|
|Thu, 12 Nov 2020 08:01:14 -0500|
The United States has one of the world’s strongest and most sophisticated capabilities to launch cyberattacks against adversaries. How does the US Constitution allocate power to use that capability? And what does that allocation tell us about appropriate executive-legislative branch arrangements for setting and implementing cyber strategy?
The term “cyberattack” is often used loosely. In this essay, I define a cyberattack as action that involves the use of computer code to disrupt, degrade, destroy, or manipulate computer systems or networks or the information on them. I am not including cyber operations that are purely for information gathering or to map foreign networks in preparation for future cyberattacks.
This definition of cyberattack still includes a wide array of operations. On one end are attacks on computer systems that have effects—including kinetic, sometimes violent ones—outside those systems. Examples include the Stuxnet attack that brought down some of Iran’s nuclear centrifuges and the 2017 NotPetya attack, widely attributed to Russia, that targeted major Ukrainian companies and government agencies but spread widely and disabled computers—as well as commerce dependent on them—around the globe. At the other end are the types of low-level and often discrete attacks that appear to be contemplated by the United States “Defend Forward” concept. Examples include infiltrating adversary networks and deleting or corrupting data, or US Cyber Command’s operations that disrupted the networks of Russia’s infamous “Internet Research Agency” troll farm in the run-up to the 2018 US midterm elections. There are of course many possibilities in between.
This essay offers a way to think about the constitutional distribution of powers between the president and Congress governing the use of US cyberattack capabilities. Some commentators and analysts view this problem almost reflexively as a “war powers” issue—a term I use throughout this essay to refer to the political branches’ respective constitutional authority over the hostile use of military force. That is especially true as one moves up the scale of expected damage. A corollary to that constitutional issue is a statutory question: Namely, how should the 1973 War Powers Resolution, which was intended to restrict extensive military hostilities without congressional approval, be interpreted or amended to account for cyberattacks? The imprecise rhetoric of “cyberwar,” “cyber conflict,” and “cyberattacks” probably contributes to this legal framing.
But many—and probably almost all—cyberattacks undertaken by the United States cannot plausibly be viewed as exercises of war powers. Indeed, the entire Defend Forward concept appears to involve low-level operations well below the “use of force” threshold under international law and far short of the types of operations that have typically triggered war powers analysis under domestic constitutional law.
This essay argues that as a conceptual and doctrinal matter, cyberattacks alone are rarely exercises of war powers—and they might never be. They are often instead best understood as exercises of other, nonwar military powers, foreign affairs powers, intelligence powers, and foreign commerce powers, among other constitutional powers not yet articulated. Although this more fine-grained and fact-specific constitutional conception of cyberattacks leaves room for broad executive leeway in some operational contexts, this discretion is often the result of congressional delegation or acquiescence as opposed to any inherent constitutional authority on the part of the president. At the same time, these alternative understandings of cyberattacks also contain a strong constitutional basis for Congress to pursue legislative regulation of the procedural and substantive parameters governing cyber operations.
Beyond those descriptive claims, this essay argues that a rush to treat cyberattacks as implicating war powers misguides criticisms about the role Congress is or is not playing in regulating cyberattacks. This is because participants in war powers debates often bring intense and polar normative stances about the appropriate institutional arrangements governing the exercise of those powers. On one end are those who prize executive speed, agility, and secrecy—and therefore presidential freedom from congressional interference. On the other end are those who see formal congressional approval for military campaigns as being of paramount constitutional importance. The latter, who want to roll back presidential unilateralism, often see cyberattacks as yet another problematic means by which presidents can evade proper congressional checks on war. But in their focus on congressional approval for military intervention, and by extension for at least some high-intensity cyberattacks, those critics may overlook other institutional arrangements that are better tailored to US cyber strategy, especially to the sort of lower-intensity activities that make up Defend Forward. They also may overlook the many important ways in which Congress is already actively involved in shaping and facilitating that strategy.
|Due Diligence and the U.S. Defend Forward Cyber Strategy|
|Tue, 20 Oct 2020 11:06:00 -0400|
As its name implies, the 2018 US Department of Defense Defend Forward strategy is principally reactive. The strategy assumes that the United States will continue to suffer harm from competitors and malign actors through cyberspace. Accordingly, it outlines US reactions in order to preempt threats, defeat ongoing harm, and deter future harm. Previous strategies have instructed similarly, but the 2018 National Cyber Strategy purports to reflect a strategic evolution in its overt commitment to countering cyber harm at its origin and to doing so not intermittently or episodically but on a “day-to-day” basis. Defending forward involves a wide range of cyber activities, but a defining feature will likely be routine nonconsensual cyber operations in the networks of hostile foreign governments and private actors.
These operations are sure to require technical, doctrinal, political, and even diplomatic reevaluations. But they also call for review of supporting international legal justifications. While a host of international law doctrines will be relevant to Defend Forward, the principle of due diligence is likely to play a significant role, in light of both the reactive nature of Defend Forward and the interconnected yet shadowy domain of cyberspace.
Well before the Defend Forward strategy or even cyberspace itself emerged, states developed the international law obligation of due diligence as an important regulation of international relations. In the incomplete and fragmented international legal system, due diligence has served as a general policing regime to manage and redress harm between states. At its most general level, due diligence requires states to take reasonable measures to put a stop to activities, whether private or public, within their borders that cause serious adverse consequences to other states. Breaches of due diligence do not require that harm be attributed to a state, only that a state knew of and failed to quell harm coming from its territory. International tribunals and publicists have repeatedly confirmed that breaches of due diligence entitle injured states to relief and reparations from offending states. Just as important, breaches of due diligence authorize victim states to react with a wide range of measures of self-correction from nondiligent states, including resorting to countermeasures.
This essay evaluates due diligence in light of the Defend Forward cyber strategy. It begins with a brief review of due diligence as an obligation of general international law, highlighting a broad base of support from international tribunals and commentators for due diligence as a freestanding rule of conduct. It then recounts recent efforts to apply due diligence to activities in cyberspace. Next, it reviews past US foreign relations experience with due diligence, including its invocation in international litigation and its use to generate favorable diplomatic outcomes. It concludes that positive US diplomatic and legal precedent counsel in favor of renewed recognition of due diligence as an obligation under general international law. It then examines how conceptions of due diligence may complement the Defend Forward strategy in cyberspace. Specifically, it suggests how the United States might best tailor a view on due diligence specific to activities in cyberspace and offer doctrinal refinements that might be acknowledged in light of the US Defend Forward strategy.
|Covert Deception, Strategic Fraud, and the Rule of Prohibited Intervention|
|Thu, 24 Sep 2020 12:15:06 -0400|
If information is power, then the corruption of information is the erosion, if not the outright usurpation, of power. This is especially true in the information age, where developments in the technological structure and global interconnectedness of information and telecommunications infrastructure have enabled states to engage in malicious influence campaigns at an unprecedented scope, scale, depth, and speed. The Digital Revolution and the attendant evolution of the global information environment have intensified, if not generated, what one expert describes as “one of the greatest vulnerabilities we as individuals and as a society must learn to deal with.” The relative explosion of digital information and communications technology (ICT) and the modern information environment it has enabled “have resulted in a qualitatively new landscape of influence operations, persuasion, and, more generally, mass manipulation.”
As evidenced by Russia’s ongoing efforts at election interference in the United States and Europe, the role of information conflict in global strategic competition has evolved and taken on new weight. A number of revisionist states, Russia and China chief among them, have fully embraced the new reality of the modern information environment, deftly adapting their capabilities and strategies to exploit the societal vulnerabilities it exposes. They have incorporated sustained, hostile influence campaigns as a central part of their destabilizing strategies to cause or exacerbate societal divisions, disrupt political processes, weaken democratic institutions, and fracture alliances, all with a broader aim of undermining the rules-based international order and gaining competitive advantage.
The anchor for these campaigns is the extensive and deep use of ICTs to conduct covert deception and disinformation operations at an extraordinary scale. Deployed at a strategic level, malign influence and disinformation operations have the very real potential to undermine and disrupt a targeted state’s independent exercise of core governance prerogatives. Along with the advent of hostile cyber operations, these ICT-enhanced deception campaigns have raised challenging questions about whether and how international law applies to these novel state interactions.
This paper contends that the customary international law prohibition against intervening in the internal and external affairs of another state provides an important yet underdeveloped legal tool to help address these threats. It considers the rule’s applicability to the murky and evolving landscape of information conflict and argues for an interpretation of the non-intervention rule better suited to the realities of the information age, where strategic covert deception and disinformation campaigns are being deployed at an unprecedented scale to subvert states’ free will over their political, electoral, and public policy prerogatives. First, it explains the scope and global scale of the covert deception and disinformation problem. The paper then walks through the international law rule of prohibited intervention, the sovereign interests it shields, and the ill-defined concept of coercion that has evolved to demarcate the line between legitimate influence and internationally wrongful intervention. Outside of the cyber context, the law frequently regulates deception either directly in the form of fraud-based proscriptions, or indirectly by making deception a constructive substitute for force or coercion elements of other crimes. These are foundational precepts that should inform states’ understanding and application of the non-intervention rule in the fast-evolving context of cyber and information conflict. The paper concludes by evaluating how to apply this understanding of nonintervention and reflecting on the role of international law in maintaining a rules-based international order in the information age.